• Aucun résultat trouvé

Soundly Proving B Method Formulae Using Typed Sequent Calculus

N/A
N/A
Protected

Academic year: 2021

Partager "Soundly Proving B Method Formulae Using Typed Sequent Calculus"

Copied!
19
0
0

Texte intégral

(1)

HAL Id: hal-01342849

https://hal.archives-ouvertes.fr/hal-01342849

Submitted on 6 Jul 2016

HAL is a multi-disciplinary open access

archive for the deposit and dissemination of

sci-entific research documents, whether they are

pub-lished or not. The documents may come from

teaching and research institutions in France or

abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est

destinée au dépôt et à la diffusion de documents

scientifiques de niveau recherche, publiés ou non,

émanant des établissements d’enseignement et de

recherche français ou étrangers, des laboratoires

publics ou privés.

Distributed under a Creative Commons Attribution - NoDerivatives| 4.0 International

License

Soundly Proving B Method Formulae Using Typed

Sequent Calculus

Pierre Halmagrand

To cite this version:

Pierre Halmagrand. Soundly Proving B Method Formulae Using Typed Sequent Calculus. 13th

International Colloquium on Theoretical Aspects of Computing (ICTAC), Oct 2016, Taipei, Taiwan.

pp 196-213, �10.1007/978-3-319-46750-4_12�. �hal-01342849�

(2)

Soundly Proving B Method Formulæ

Using Typed Sequent Calculus

?

Pierre Halmagrand pierre.halmagrand@inria.fr

Cnam / Inria / ENS Cachan, Paris, France

Abstract. The B Method is a formal method mainly used in the railway industry to specify and develop safety-critical software. To guarantee the consistency of a B project, one decisive challenge is to show correct a large amount of proof obligations, which are mathematical formulæ expressed in a classical set theory extended with a specific type system. To improve automated theorem proving in the B Method, we propose to use a first-order sequent calculus extended with a polymorphic type system, which is in particular the output proof-format of the tableau-based automated theorem prover Zenon. After stating some modifications of the B syntax and defining a sound elimination of comprehension sets, we propose a translation of B formulæ into a polymorphic first-order logic format. Then, we introduce the typed sequent calculus used by Zenon, and show that Zenon proofs can be translated to proofs of the initial B formulæ in the B proof system.

1

Introduction

Automated transport systems have spread in many cities during last decades, becoming a leading sector for the development of highly trusted software us-ing formal methods. The B Method [1] is a formal method mainly used in the railway industry to specify and develop safety-critical software. It allows the de-velopment of correct-by-construction programs, thanks to a refinement process from an abstract specification to a deterministic implementation of the program. The soundness of the refinement steps depends on the validity of logical formulæ called proof obligations, expressed in a specific typed set theory. Common in-dustrial projects using the B Method generate thousands of proof obligations, thereby relying on automated tools to discharge as many as possible proof obliga-tions. A specific tool, called Atelier B [18], designed to implement the B Method and provided with a theorem prover, helps users verify the validity of proof obligations, automatically or interactively.

Improving the automated verification of proof obligations is a crucial task. The BWare research project [10] proposed to use external automated provers, like first-order Automated Theorem Provers (ATPs) and Satisfiability Modulo Theory (SMT) solvers, by building a common platform to run these tools. This

?

This work is supported by the BWare project (ANR-12-INSE-0010) funded by the INS programme of the French National Research Agency (ANR).

(3)

platform, based on the software verification tool Why3 [3], requires proof obli-gations to be encoded in its native language called WhyML. Mentré et al. [16] proposed a translator program called bpo2why to address this issue. This tool focuses on the translation of B proof obligations output by Atelier B into the WhyML language. Besides, the B set theory is defined directly in WhyML. Then, Why3 uses specific drivers to translate proof obligations and the theory from WhyML to the specific format of each automated tool.

The first-order ATP Zenon [6] [9], based on the tableau method and recently extended to deal with polymorphic types, has been used to prove B proof obli-gations in the BWare project and obtained good experimental results, compared to the regular version of Zenon and other automated deduction tools as well [7]. One important feature of Zenon is to be a certifying prover [8], in the sense that it generates proof certificates, i.e. proof objects that can be verified by external proof checkers. It relies on an encoding of the output proof-format of Zenon, a typed sequent calculus called LLproof, into the proof checker Dedukti [5], a tool designed to be a universal backend to certify and share proofs coming from automated or interactive provers. These proof certificates allow us to be very confident about the soundness of the proofs produced by Zenon.

An issue about using Zenon to verify B proof obligations arises in the up-stream translation chain, from B to Zenon input format. There is currently no formal guarantee that this chain is sound, and it would be a tremendous work to formalize the several steps represented by bpo2why and Why3. Instead, we decide to confirm the soundness of using Zenon to prove B proof obligations by formalizing a more general and direct translation from the B logic into a poly-morphic first-order logic (PFOL for short), close to the Zenon input format. This translation is to be proven sound, in the sense that if Zenon finds a proof then it can be turned into a proof of the initial B formula. A solution is to show a logical equivalence between Zenon and B proof system.

The B set theory is provided with a specific type system, expressed using set constructs, resulting in a lack of separation in a B formula between typing and set reasoning. To help us embed B typing constraints into PFOL, we define a procedure to annotate B variables with their types, using the type-checking algorithm of the B Method. The interpretation of these types will then be given by the translation function into PFOL. Axioms and hypotheses are generalized by translating B types to (universally quantified) type variables in PFOL. In contrast, types coming from the formula to be proved are interpreted as type constants in PFOL. In addition, we define the reverse translation from PFOL to B, letting us to reword the initial B formula. Thanks to this reverse translation and the derivations of Zenon inference rules expressed using the B proof system, we can translate Zenon proofs into B proofs, guaranteeing the soundness of our translation.

The concerns about the confidence given to ATP in the case of B proof have been resolved using the alternative approach of a certified prover and relying on a deep embedding of the B logic into the interactive prover Coq, by Jaeger et al. [14]. It has also been studied in the context of Event-B by Schmalz in [17].

(4)

The problem of type inference in the B Method was studied in other contexts, see for instance [4] for an embedding into PVS, and [13] for Coq.

This paper is organized as follows: in Sec. 2, we introduce the B Method syntax, proof system and type system, then we introduce the type annotation procedure; in Sec. 3, we present the polymorphic first-order logic and the typed sequent calculus used by Zenon; in Sec. 4, we give the translation used to encode B formulæ into PFOL; finally, in Sec. 5, we present the translation of proofs expressed in the sequent calculus of Zenon into B proofs.

2

The B Set Theory

In this section, we present the core logic and theory of the B Method. We first introduce the syntax, the proof system, the set theory and the typing rules of the B Method. Then, we introduce a procedure to annotate variables with their cor-responding types. Finally, we present an elimination procedure of comprehension sets.

2.1 Syntax, Proof System and Set Theory

The presentation below follows faithfully the first two chapters of the B-Book [1] dealing with mathematical reasoning and set theory.

Syntax. The syntax of the B Method is made of four syntactic categories, for formulæ, expressions, variables and sets. A formula, or predicate, P is built from the logical connectives conjunction, implication and negation and the universal quantification. A formula may also be the result of a substitution in a formula, the equality between two expressions and the membership to a set. An expression E may be a variable, the result of a substitution in an expression, an ordered pair, an arbitrary element in a set or a set. A variable x is either an identifier or a list of variables. Finally, a set s is built using the elementary set constructs, i.e. the cartesian product, the powerset and the comprehension set, or may be the set BIG, a given infinite set.

P ::= P1∧ P2| P1⇒ P2| ¬P | ∀x · P | [x := E]P | E1= E2| E ∈ s

E ::= x | [x := E1]E2| E1, E2| choice(s) | s

x ::= identif ier | x1, x2

s ::= s1× s2| P(s) | {x | P } | BIG

Proof System. In Fig. 1, we present the proof system of the B Method. This is an adaptation of classical natural deduction for the B syntax. It should be noted that the B-Book proposes some rules to define the notion of non-freeness of a variable x in a formula P , denoted by x\P . Since these rules are standard, we omit them here.

In the following, if x is a variable and Γ a set of formulæ, x\Γ means that x\H for each H of Γ ; if Γ0 is another set of formulæ, Γ @ Γ0 means that Γ is included in Γ0; and if P is a formula, P –@ Γ means that P occurs in Γ .

(5)

BR1 P `BP Γ `BP Γ @ Γ0 BR2 Γ0`BP P –@ Γ BR3 Γ `BP Γ `BP Γ, P `BQ BR4 Γ `BQ Γ `BP Γ `BP ⇒ Q MP Γ `BQ Γ `BP Γ `BQ R1 Γ `BP ∧ Q Γ `BP ∧ Q R2 Γ `BP Γ `BP ∧ Q R20 Γ `BQ Γ, P `BQ R3 Γ `BP ⇒ Q Γ `BP ⇒ Q R4 Γ, P `BQ Γ, ¬Q `BP Γ, ¬Q `B¬P R5 Γ `BQ Γ, Q `BP Γ, Q `B¬P R6 Γ `B¬Q x\Γ Γ `BP R7 Γ `B∀x · P Γ `B∀x · P R8 Γ `B[x := E]P R10 Γ `BE = E Γ `BE = F Γ `B[x := E]P R9 Γ `B[x := F ]P

Fig. 1. The Proof System of the B Method

Set Theory. As presented in the B-Book, the B Method set theory is a simpli-fication of classical set theory. Some common axioms, like the foundation axiom, are not needed in this context (see Sec. 2.2), leading to a theory made only of six axioms. Actually, axioms presented below are axiom schemata that have to be instantiated with some proper expressions. The first column represents non-freeness proviso. E, F ∈ s × t ⇔ (E ∈ s ∧ F ∈ t) SET1 x\(s, t) s ∈ P(t) ⇔ ∀x · (x ∈ s ⇒ x ∈ t) SET2 x\s E ∈ {x | x ∈ s ∧ P } ⇔ (E ∈ s ∧ [x := E]P ) SET3 x\(s, t) ∀x · (x ∈ s ⇔ x ∈ t) ⇒ s = t SET4 x\s ∃x · (x ∈ s) ⇒ choice(s) ∈ s SET5 infinite(BIG) SET6

Remark 1. The B-Book defines rewrite rules for secondary common constructs: P ∨ Q → ¬P ⇒ Q P ⇔ Q → (P ⇒ Q) ∧ (Q ⇒ P ) ∃x · P → ¬∀x · ¬P

s ⊆ t → s ∈ P(t) s ⊂ t → s ⊆ t ∧ s 6= t 2.2 Type System

The B Method set theory differs from other ones, like the Zermelo-Fraenkel set theory. The main difference consists in the addition of typing constraints to expressions, and the application of a type-checking procedure before proving. This avoids ill-formed formulæ such as ∃x · (x ∈ x), whose negation is provable in ZF, due to the foundation axiom, unlike for the B Method.

(6)

∆ `tcch(P ) ∆ `tcch(Q) T1 ∆ `tcch(P ∧ Q) ∆ `tcch(P ) ∆ `tcch(Q) T2 ∆ `tcch(P ⇒ Q) ∆ `tcch(P ) T3 ∆ `tcch(¬P ) x\s x\∆ ∆, x ∈ s `tcch(P ) T4 ∆ `tcch(∀x · (x ∈ s ⇒ P )) ∆ `tcch(∀x · (x ∈ s ⇒ ∀y · (y ∈ t ⇒ P ))) T5 ∆ `tcch(∀(x, y) · (x, y ∈ s × t ⇒ P )) ∆ `tcch(∀x · (P ⇒ (Q ∧ R))) T6 ∆ `tcch(∀x · ((P ∧ Q) ⇒ R)) ∆ `tcty(E) ≡ ty(F ) T7 ∆ `tcch(E = F ) ∆ `tcty(E) ≡ su(s) T8 ∆ `tcch(E ∈ s) ∆ `tcsu(s) ≡ su(t) T80 ∆ `tcch(s ⊆ t) x ∈ s –@ ∆ ∆ `tcsu(s) ≡ U T9 ∆ `tcty(x) ≡ U ∆ `tcty(E) × ty(F ) ≡ U T10 ∆ `tcty(E, F ) ≡ U ∆ `tcsu(s) ≡ U T11 ∆ `tcty(choice(s)) ≡ U ∆ `tcP(su(s)) ≡ U T12 ∆ `tcty(s) ≡ U x ∈ s –@ ∆ ∆ `tcsu(s) ≡ P(U ) T13 ∆ `tcsu(x) ≡ U ∆ `tcsu(s) × su(t) ≡ U T14 ∆ `tcsu(s × t) ≡ U ∆ `tcP(su(s)) ≡ U T15 ∆ `tcsu(P(s)) ≡ U ∆ `tcch(∀x · (x ∈ s ⇒ P )) ∆ `tcsu(s) ≡ U T16 ∆ `tcsu({x | x ∈ s ∧ P }) ≡ U gi(I) –@ ∆ ∆ `tcI ≡ U T17 ∆ `tcsu(I) ≡ U ∆ `tcsu(s) ≡ P(U ) T18 ∆ `tcsu(choice(s)) ≡ U ∆ `tcT ≡ U T19 ∆ `tcP(T ) ≡ P(U ) ∆ `tcT ≡ U ∆ `tcV ≡ W T20 ∆ `tcT × V ≡ U × W gi(I) –@ ∆ T21 ∆ `tcI ≡ I

Fig. 2. The Type System of the B Method

The typing discipline proposed relies on the monotonicity of set inclusion. For instance, if we have an expression E and two sets s and t such that E ∈ s and s ⊆ t, then E ∈ t. Going further with another set u such that t ⊆ u, we have then E ∈ u. The idea, as explained in the B-Book, is that, given a formula to be type checked, there exists an upper limit for such set containment. This upper limit is called the super-set of s and the type of E. Then, if u is the super-set of s, we obtain the typing information E ∈ u and s ∈ P(u).

Type checking is performed by applying, in a backward way and following the numerical order, the inference rules presented in Fig. 2. Rules dealing with the right-hand side of a typing equivalence ≡ are named with the same number

(7)

primed, forT9toT18. If this decision procedure terminates and does not fail, then

the formula is said to be well-typed. This procedure uses two syntactic categories T ype and T ype_P red:

T ype ::= type(E) | super(s) | T ype × T ype | P(T ype) | identif ier T ype_P red ::= check(P ) | T ype ≡ T ype

In the following, we use ty, su and ch as abbreviations for the keywords type, super and check respectively. As a consequence, the type of an expression E may be either an identifier (see the notion of given set below), the powerset of a type or the cartesian product of two types; and for the particular case of sets, the type of a set is necessarily the powerset of a type.

A type-checking sequent like ∆ `tcch(P ) means that, within the environment

∆, the formula P is well-typed. The environment ∆ is made of atomic formulæ of the form x ∈ s, where x is non-free in s. All free variables in P have to be associated with some atomic formula in ∆. The only exception is for variables in P representing some abstract given sets, introduced at a meta-level discourse like: “Given a set s ...”. Such a given set s, which will be used to type other sets, is introduced in the environment ∆ by the keyword given(s) (gi(s) for short), telling us that s is free in the formula to be type-checked, and has the specific property su(s) = s.

Example 1. Given two sets s and t, the formula:

∀(a, b) · (a, b ∈ P(s × t) × P(s × t) ⇒ {x | x ∈ a ∧ x ∈ b} ⊆ s × t) will be used as a running example in this paper. We want to verify that this formula is well-typed, i.e. verify that the following sequent is satisfied:

gi(s), gi(t) `tc

ch(∀(a, b) · (a, b ∈ P(s × t) × P(s × t) ⇒ {x | x ∈ a ∧ x ∈ b} ⊆ s × t)) By applying the rules of Fig. 2, we obtain the following typing derivation (due to the large size of the tree, we present only the names of rules, starting from the left withT5):

T5 -T4 -T4 -T80-T140T16 -             T4 -T8 -T9 -T13 -T15 -T19 -T130-T150-T19 -T14 -T140T20 -   T17 -T170-T21 T17 -T170-T21 T13 T15 T19 T14 T20 -   T17 -T170-T21 T17 -T170-T21 2.3 Type Annotation

In the B syntax presented in Sec. 2.1, there are two constructs which introduce new bound variables: universal quantification ∀x · P and comprehension set {x | P }. It should be noted that the typing rulesT4 andT16 dealing with these two

(8)

s ∧ P }. Membership x ∈ s is used to type the bound variable x. Unfortunately, typing information is hidden at a set theoretic level. There is no clear distinction between sets and types in the B Method.

For the translation function presented in Sec. 4.2, we want to distinguish the notion of types from the one of sets. We introduce a new syntactic category T for types:

T ::= identif ier | T1× T2| P(T )

And we introduce the notation xT meaning that the variable x has type T .

We now present a procedure to annotate variables with their type. Once the type-checking of a formula is done, the typing tree has environments ∆ at each node, and in particular at leaves, following the syntax:

∆ ::= ∅ | ∆, gi(s) | ∆, x ∈ s

In addition, ∆ is augmented only by ruleT4: if a formula x ∈ s is added, then s

has to be already associated in ∆ (in particular because of rules T9andT13), as

a given set or in a formula like s ∈ t for some already associated set t.

The annotation procedure transforms all the leaf environments ∆, i.e. the environments of the leaves, into annotated environments ∆?, where all variables

and given sets are annotated with their type, then uses these annotated environ-ments to rebuild the typing tree of the (annotated) initial formula in a forward way. It should be noted that in a formula x ∈ s, the set s may be a composition of the two type constructors × and P. We denote this kind of composition by a function symbol f with an arity n. Here is the syntax for ∆?:

∆?

::= ∅ | ∆?, gi(sP(s)) | ∆?, xf (T1,...,Tn)∈ f (sP(T1)

1 , . . . , sP(T

n)

n )

We can now introduce the annotation procedure: 1. For all the leaf environments ∆:

1.1. For all gi(s), we annotate s by its type P(s), and then substitute all occurrences of s in ∆ by sP(s);

1.2. Following the introduction order in ∆, for all x ∈ f (sP(T1)

1 , . . . , s P(Tn)

n ), we

annotate x with its type f (T1, . . . , Tn), and we substitute all occurrences

of x in ∆ by xf (T1,...,Tn);

2. Rebuild the (annotated) initial formula by applying the type-checking tree in a forward way, i.e. from the leaves to the root.

In the following, we denote by P? the formula P where all variables are

annotated. We extend this notation to sets of formulæ Γ , and expressions E. Proposition 1. The annotation is sound.

We have, for a variable x, an expression E and a formula P : 1. If xT is associated in ∆?, ∆?`

tcty(xT) ≡ T ;

2. If ∆ `tcty(E) ≡ U , then ∆?`tcty(E?) ≡ U ;

(9)

The B proof system of Fig. 1 is neutral with respect to variable annotation, so it is always possible to apply the same proof derivation to an annotated formula. The provability of well-typed formulæ is then preserved: Γ `B P if and only if

Γ?` BP?.

Finally, we take the universal closure of all free variables corresponding to given sets. To lighten the presentation in examples, we annotate only the first occurrence of a variable.

Example 2. Going back to the running example, we obtained the following en-vironment ∆ for the leave of the upper branch:

gi(s), gi(t), a ∈ P(s × t), b ∈ P(s × t), x ∈ a It leads to the annotated environment ∆?:

gi(sP(s)), gi(tP(t)), aP(s×t)∈ P(s × t), bP(s×t)∈ P(s × t), xs×t ∈ a

Finally, we obtain the annotated formula: ∀sP(s)· (∀tP(t)· (∀(aP(s×t), bP(s×t)

(a, b ∈ P(s × t) × P(s × t) ⇒ {xs×t| x ∈ a ∧ x ∈ b} ⊆ s × t))) 2.4 The Annotated Set Theory

Axioms SET5 and SET6 are introduced in the B Method set theory for

theoret-ical reasons, like building natural numbers, and are never used in practice, in particular in proof obligations. So, we remove them from this work.

We now define the annotated version of the axioms presented in Sec. 2.1. In addition, we take the universal closure for all free variables.

∀sP(s)· (∀tP(t) · (∀xs· (∀yt· (x, y ∈ s × t ⇔ (x ∈ s ∧ y ∈ t))))) SET1

∀sP(s)· (∀tP(s)· (s ∈ P(t) ⇔ ∀xs· (x ∈ s ⇒ x ∈ t))) SET2

∀sP(s)· (∀ys · (y ∈ {xs| x ∈ s ∧ P } ⇔ (y ∈ s ∧ [x := y]P ))) SET3

∀sP(s)· (∀tP(s)· (∀xs· (x ∈ s ⇔ x ∈ t) ⇒ s = t))

SET4

2.5 Skolemization of Comprehension Sets

We propose an elimination procedure of comprehension sets inside formulæ, based on the definition of new function symbols. The idea to skolemize compre-hension sets is not new, see for instance [12]. In an expression, when meeting a set u of the shape: u = {xT | P (x, sT1

1 , . . . , sTnn)} we apply the following procedure:

1. Define a fresh function symbol fP(T ) of arity n and annotated by P(T );

2. Add to the B set theory, the axiom: ∀sT1 1 · (. . . · (∀s Tn n · (∀x T · (x ∈ fP(T )(s 1, . . . , sn) ⇔ P (x, s1, . . . , sn)))))

3. Replace all the occurrences of u by fP(T )(s

(10)

Remark 2. This skolemization procedure is sound (the new axiom is an instance of axiom SET3), but not complete (it is no more possible to define a set by

comprehension during proof search).

Example 3. Applying skolemization to the running example leads to add the following axiom to the theory:

∀aP(s×t)· (∀bP(s×t)· (∀xs×t· (x ∈ fP(s×t)(a, b) ⇔ x ∈ a ∧ x ∈ b)))

And we obtain the skolemized formula: ∀sP(s)· (∀tP(t)·

(∀(aP(s×t), bP(s×t)) · (a, b ∈ P(s × t) × P(s × t) ⇒ fP(s×t)(a, b) ⊆ s × t)))

2.6 Updated Syntax and Proof System

To conclude this section, we present the new version of the B syntax, with annotated variables, function symbols and without comprehension sets, choice function and BIG. In addition, we suppose that expressions are normalized in the sense that substitutions are reduced, as it is for proof obligations, so we remove substitutions from the syntax. We also merge the two categories for expressions and sets in a single category called E. Finally, we introduce ⊥ := P ∧ ¬P and > := ¬⊥, where P is a fixed formula.

T ::= identif ier | T1× T2| P(T ) P ::= ⊥ | > | P1∧ P2| P1⇒ P2| ¬P | ∀x · P | E1= E2| E1∈ E2 E ::= x | E1, E2| E1× E2| P(E) | fP(T )(E1, . . . , En) x ::= identif ier | xT | xT1 1 , x T2 2

Finally, we enrich the B proof system of Fig. 1 with the two basic rulesBR5

andBR6dealing with ⊥ and >:

BR5 Γ, ⊥ `BQ := BR3 Γ, P ∧ ¬P, ¬Q `BP ∧ ¬P R2 Γ, P ∧ ¬P, ¬Q `BP BR3 Γ, P ∧ ¬P, ¬Q `BP ∧ ¬P R20 Γ, P ∧ ¬P, ¬Q `B¬P R5 Γ, P ∧ ¬P `BQ BR6 Γ `B> := BR5 Γ, ⊥ `BQ BR5 Γ, ⊥ `B¬Q R6 Γ `B¬⊥

3

LLproof: Typed Sequent Calculus of Zenon

3.1 Polymorphic First-Order Logic

We present in this section the polymorphic first-order logic, PFOL for short, used by the sequent calculus proof system LLproof. This presentation is highly inspired by [2].

(11)

A polymorphic signature is a triple Σ = (K, F , P), where K, F and P are countable sets of respectively type constructors k with their arity m, denoted k :: m, function symbols f and predicate symbols P with their type signature σ. σ ::= f : Πα1. . . αm.τ1→ . . . → τn → τ | P : Πα1. . . αm.τ1→ . . . → τn→ o

where α1. . . αmare the m first arguments of f or P and correspond to the type

parameters; τ1, . . . , τn are the following n arguments of f or P and correspond

to the types of the term parameters; τ is the return type of f and o is the return pseudo-type of predicates P (but it is not a type of the language).

The syntax of PFOL is made of types, terms, formulæ and polymorphic for-mulæ. A type τ is either a type variable α or the application of a type constructor k. A term e is either a variable x or the application of a function symbol f to types and terms. A formula ϕ is inductively built from ⊥, >, conjunction, impli-cation, negation, universal quantification over (term) variable, equality between terms and application of a predicate symbol. A polymorphic formula ϕαis a

uni-versal quantification over type variable. The typing rules of PFOL are standard and can be found in [2]. In the following, we may omit the m first type arguments for function and predicate symbols when they are clear from the context.

τ ::= α | k(τ1, . . . , τm)

e ::= x | f (τ1, . . . , τm; e1, . . . , en)

ϕ ::= ⊥ | > | ϕ1∧ ϕ2| ϕ1⇒ ϕ2| ¬ϕ | ∀x : τ.ϕ | e1=τ e2

| P (τ1, . . . , τm; e1, . . . , en)

ϕα ::= ∀α.ϕα| ∀α.ϕ

3.2 The Typed Sequent Calculus Proof System LLproof

In Fig. 3, we present the typed sequent calculus LLproof used by the automated theorem prover Zenon to output proofs. This sequent calculus is close to a tableau method proof system; we are looking for a contradiction, given the negation of the goal as an hypothesis. All formulæ are on the left hand side of the sequent, and the negation of the goal has to be unsatisfiable. In addition, the contraction rule is always applied, leading to a growing context Γ .

This presentation differs with the one in [8], which also introduces the proof system LLproof and its embedding into the proof-checker Dedukti. We remove the rules for equivalence and existential quantification, because these constructs are defined using other ones in the B Method (see Sec. 2.1). Moreover, we replace all rules from the category Special Rules by the new one Subst, since the Subst rule is easier to translate and can be used to define other Special rules [8].

The rules ∀ and ¬∀ dealing with quantification over variables both get a side condition about the type of the chosen instance.

Rule ∀type is applied to instantiate the type variables in axioms with the

(12)

Closure and Quantifier-free Rules ⊥ Γ, ⊥ `LL ⊥ ¬> Γ, ¬> `LL ⊥ Sym Γ, t =τ u, u 6=τt `LL ⊥ Ax Γ, P, ¬P `LL⊥ 6= Γ, t 6=τ t `LL⊥ Γ, P `LL ⊥ Γ, ¬P `LL ⊥ Cut Γ `LL ⊥ Γ, ¬¬P, P `LL ⊥ ¬¬ Γ, ¬¬P `LL ⊥ Γ, P ∧ Q, P, Q `LL⊥ ∧ Γ, P ∧ Q `LL⊥ Γ, ¬(P ⇒ Q), P, ¬Q `LL ⊥ ¬ ⇒ Γ, ¬(P ⇒ Q) `LL ⊥ Γ, P ⇒ Q, ¬P `LL⊥ Γ, P ⇒ Q, Q `LL ⊥ ⇒ Γ, P ⇒ Q `LL ⊥ Γ, ¬(P ∧ Q), ¬P `LL⊥ Γ, ¬(P ∧ Q), ¬Q `LL⊥ ¬∧ Γ, ¬(P ∧ Q) `LL ⊥

Quantifier Rules Over Variables

Γ, ¬∀x : τ. P (x), ¬P (c) `LL ⊥ ¬∀ Γ, ¬∀x : τ. P (x) `LL ⊥ where c : τ is a fresh constant Γ, ∀x : τ. P (x), P (t) `LL ⊥ ∀ Γ, ∀x : τ. P (x) `LL ⊥ where t : τ is any closed term Quantifier Rules Over Type Variables

Γ, ∀α. P (α), P (τ ) `LL ⊥

∀type

Γ, ∀α. P (α) `LL ⊥

where τ is any closed type Special Rule

Γ, P (t), t 6=τu `LL ⊥ Γ, P (t), P (u) `LL ⊥

Subst Γ, P (t) `LL ⊥

Fig. 3. The Typed Sequent Calculus LLproof

4

Translation of B Formulæ into PFOL

4.1 Type Signatures of Primitive Constructs

We start by defining a general skeleton for the type signatures of the B basic constructs. We introduce two type constructors Set and Pair corresponding re-spectively to the B type constructors P and ×. Then, we can define the function symbols (-, -) for ordered pair, P(-) for powerset and -×- for product set. Finally, we define two predicate symbols for membership and equality. For easier reading, we use an infix notation with type arguments subscripted. For instance, - ∈α

(13)

Tske:=                Set(-) :: 1, Pair(-, -) :: 2 (-, -)α1,α2 : Πα1α2. α1→ α2→ Pair(α1, α2) Pα(-) : Πα. Set(α) → Set(Set(α))

- ×α1,α2 - : Πα1α2. Set(α1) → Set(α2) → Set(Pair(α1, α2)) - ∈α - : Πα. α → Set(α) → o

- =α - : Πα. α → α → o

4.2 Translating Formulæ from B to PFOL

We present in Fig. 4 the translation function of B formulæ into PFOL formulæ. This translation, denoted hP i for some B formula P , is made of the three trans-lations hT it for types, hP if for formulæ and hEie for expressions, and a function θ(E) that returns the PFOL type of a B expression E.

One important point in this embedding is the interpretation given to B type identifiers coming from the type annotation procedure (see Sec. 2.3). We inter-pret B type identifiers coming from axioms and hypotheses as type variables (and take the universal closure with respect to them), and B type identifiers of the for-mula to prove (also called goal) as new constants, i.e. nullary type constructors. This allows us to get polymorphic axioms in PFOL and a monomorphic/many-sorted goal. To achieve this, we add to all B formulæ to translate a flag ax for axioms and hypotheses and gl for the goal.

Before presenting the three translation functions, we have to define a function called Sig(f (. . .)), where f is a B function symbol coming from the skolemization of comprehension sets (see Sec. 2.5), that returns the type signature of f . Let F V (e) be the set of free variables of an expression e.

Sig(fP(T )(E

1, . . . , En)) = Π α∈F Vn

1(θ(Ei))

α. θ(E1) → . . . → θ(En) → θ(P(T ))

During the translation procedure, we carry a target PFOL theory T com-posed by the skeleton Tskedefined in Sec.4.1, previously translated formulæ, new

type constructors and new type signatures. Also, for each formula to be trans-lated, we carry a PFOL local context ∆ of bound variables and their type, and a set Ω of pairs of B type identifiers and their corresponding PFOL types, i.e. type variables for axioms and type constants for goals.

Example 4. Continuing with the running example, we first translate axiomsSET1, SET2 and SET4, then the axiom coming from the skolemization, and finally the

goal. To lighten the presentation, we omit the subscripted type arguments of function and predicate symbols of Tskeand we factorize the symbol ∀. The three

set theory axioms become:

∀α1, α2. ∀s : Set(α1), t : Set(α2), x : α1, y : α2. (x, y) ∈ s × t ⇔ (x ∈ s ∧ y ∈ t)

∀α. ∀s : Set(α), t : Set(α). s ∈ P(t) ⇔ ∀x : α. x ∈ s ⇒ x ∈ t ∀α. ∀s : Set(α), t : Set(α). (∀x : α. x ∈ s ⇔ x ∈ t) ⇒ s = t

(14)

θ(E) = match E with | xT → ∆(x) | E1, E2 → Pair(θ(E1), θ(E2)) | E1× E2 → Set(Pair(θ(E1), θ(E2))) | P(E) → Set(θ(E)) | fP(T )(. . .) → Set(hT i t) hT it = match T with

| id when f lag = ax → if id ∈ Ω then return Ω(id) else Ω := Ω, (id, αid) return αid

| id when f lag = gl → if id ∈ Ω then return Ω(id)

else T := T , kid:: 0 ; Ω := Ω, (id, kid) return kid

| T1× T2 → Pair(hT1it, hT2it) | P(T ) → Set(hT it) hP if = match P with | ⊥ | > → ⊥ | > | P1∧ P2 → hP1if∧ hP2if | P1⇒ P2 → hP1if⇒ hP2if | ¬P → ¬ hP if | ∀xT· P → ∀x : hT i t. hP if and ∆ := ∆, x : hT it | ∀(xT1 1 , x T2 2 ) · P →  ∀x1: hT1it.∀x2: hT2it. hP if and ∆ := ∆, x1: hT1it, x2: hT2it | E1= E2 → hE1ie=θ(E1)hE2ie | E1∈ E2 → hE1ie∈θ(E1)hE2ie

hEie= match E with

| xT → x

| E1, E2 → (hE1ie, hE2ie)θ(E1),θ(E2)

| E1× E2 → hE1ie×τ1,τ2hE2ie where

 θ(E1) = Set(τ1)

θ(E2) = Set(τ2)

| P(E) → Pτ(hEie) where θ(E) = Set(τ )

| fP(T )(E 1, . . . , En) → if f : Πα1. . . αm. τ1→ . . . → τn→ τ 6∈ T then T := T , f : Sig(fP(T )(E 1, . . . , En)) return f (τ10, . . . , τm0 ; hE1ie, . . . , hEnie) where    θ(E1) = τ1(τ10, . . . , τ 0 m) · · · θ(En) = τn(τ10, . . . , τ 0 m)

Fig. 4. Translation from B to PFOL

The remainder of the theory, i.e. the signature of f , the axiom defining f and the declaration of the two type constants coming from the translation of the goal, is:

(15)

       k1:: 0, k2:: 0

f : Πα1α2. Set(Pair(α1, α2)) → Set(Pair(α1, α2)) → Set(Pair(α1, α2))

∀α1, α2. ∀a : Set(Pair(α1, α2)), b : Set(Pair(α1, α2)), x : Pair(α1, α2).

x ∈ f (a, b) ⇔ (x ∈ a ∧ x ∈ b)

Finally, the translation of the goal (we unfold the ⊆ definition, see Sec. 2.1) is: ∀s : Set(k1), t : Set(k2), a : Set(Pair(k1, k2)), b : Set(Pair(k1, k2)).

(a, b) ∈ P(s × t) × P(s × t) ⇒ f (a, b) ∈ P(s × t)

5

Translating LLproof Proofs into B Proofs

In Fig. 5, we present the reverse translation, denoted hϕi-1, to translate monomor-phic PFOL formulæ into B formulæ. This reverse translation is simpler than the one presented in Sec. 4.2 because we do not need to translate types, annotations for bound variables and function symbols not being necessary anymore.

hϕi-1f = match ϕ with

| ⊥ | > → ⊥ | > | ϕ1∧ ϕ2 → hϕ1i-1f ∧ hϕ2i-1f | ϕ1⇒ ϕ2 → hϕ1i-1f ⇒ hϕ2i-1f | ¬ϕ → ¬ hϕi-1 f | ∀x : τ. ϕ → ∀x · hϕi-1 f | e1=τe2 → he1i-1e = he2i-1e | e1∈τ e2 → he1i-1e ∈ he2i-1e hei-1 e = match E with | x → x | (e1, e2)τ1,τ2 → he1i -1 e , he2i -1 e | e1×τ1,τ2e2 → he1i -1 e × he2i -1 e | Pτ(e) → P(hei-1e ) | f (τ0 1, . . . , τm0 ; e1, . . . , en) → f (he1i-1e , . . . , heni-1e )

Fig. 5. Translation from PFOL to B

Theorem 1. For a set of B formulæ Γ and a B goal P , if there exists a LLproof proof of the sequent hΓ i , h¬P i `LL⊥, then there exists a set Γ0 of monomorphic

instances of hΓ i, and a B proof of the sequent hΓ0i-1, ¬P `B⊥.

Proof. We present a sketch of the proof.

(16)

Axiom BR3 hP ` P i-1 BR3 h¬P ` ¬P i-1 R5 hP, ¬P ` ⊥i-1 6= R10 h` t =τ ti-1 BR3 h¬(t =τ t) ` ¬(t =τ t)i-1 R5 h¬(t =τ t) ` ⊥i-1 Sym BR3 ht =τ u ` t =τ ui-1 R10 h` t =τ ti-1 BR3 h¬(t =τ t) ` ¬(t =τ t)i-1 R5 h¬(t =τ t) ` ⊥i-1 R9 ht =τ u, ¬(u =τ t) ` ⊥i-1 ¬¬ BR3 h¬P ` ¬P i-1 BR3 h¬¬P ` ¬¬P i-1 R5 h¬¬P ` P i-1 h¬¬P, P ` ⊥i-1 BR4 h¬¬P ` ⊥i-1 ∧ BR3 hP ∧ Q ` P ∧ Qi-1 R2 hP ∧ Q ` P i-1 BR3 hP ∧ Q ` P ∧ Qi-1 R20 hP ∧ Q ` Qi-1 hP ∧ Q, P, Q ` ⊥i-1 BR4 hP ∧ Q, P ` ⊥i-1 BR4 hP ∧ Q ` ⊥i-1 ⇒ hP ⇒ Q, ¬P ` ⊥i-1 h` ¬⊥i-1 BR6 R5 hP ⇒ Q ` P i-1 BR3 hP ⇒ Q ` P ⇒ Qi-1 MP hP ⇒ Q ` Qi-1 hP ⇒ Q, Q ` ⊥i-1 BR4 hP ⇒ Q ` ⊥i-1

Fig. 6. Translations of LLproof Rules into B Proof System (part 1)

2. Given a proof Π of the sequent hΓ i , h¬P i `LL⊥, there exists a proof ΠKleene

of the sequent, starting with all applications of ∀type rules on polymorphic

formulæ, thanks to the permutation of inference rules in sequent calculus [15]. 3. We take the subproof Πmono of ΠKleene, where we removed all the ∀type

nodes and the remaining polymorphic formulæ.

4. The set Γ0of monomorphic instances of hΓ i is made of the root node formulæ of Πmono, except h¬P i.

5. We extend the reverse translation to LLproof sequents, hP1, . . . , Pn `LLQi -1 → hP1i -1 , . . . , hPni -1 `B hQi -1

, and to LLproof proof nodes in Fig. 6 and Fig. 7.

6. hΠmonoi -1

(17)

¬∧ h¬(P ∧ Q), ¬P ` ⊥i-1 BR6 h` ¬⊥i-1 R5 h¬(P ∧ Q) ` P i-1 h¬(P ∧ Q), ¬Q ` ⊥i-1 BR6 h` ¬⊥i-1 R5 h¬(P ∧ Q) ` Qi-1 R1 h¬(P ∧ Q) ` P ∧ Qi-1 Π R5 h¬(P ∧ Q) ` ⊥i-1 where Π := h¬(P ∧ Q) ` ¬(P ∧ Q)i-1 BR3 ¬ ⇒ h¬(P ⇒ Q), P, ¬Q ` ⊥i-1 BR6 h` ¬⊥i-1 R5 h¬(P ⇒ Q), P ` Qi-1 R3 h¬(P ⇒ Q) ` P ⇒ Qi-1 BR3 h¬(P ⇒ Q) ` ¬(P ⇒ Q)i-1 R5 h¬(P ⇒ Q) ` ⊥i-1 ¬∀ h¬∀x : τ.P (x), ¬P (c) ` ⊥i-1 h` ¬⊥i-1 BR6 R5 h¬∀x : τ.P (x) ` P (c)i-1 R7 h¬∀x : τ.P (x) ` ∀x : τ.P (x)i-1 BR3 h¬∀x : τ.P (x) ` ¬∀x : τ.P (x)i-1 R5 h¬∀x : τ.P (x) ` ⊥i-1 ∀ BR3 h∀x : τ. P (x) ` ∀x : τ. P (x)i-1 R8 h∀x : τ. P (x) ` P (t)i-1 h∀x : τ. P (x), P (t) ` ⊥i-1 BR4 h∀x : τ. P (x) ` ⊥i-1 Subst hP (t), ¬(t =τ u) ` ⊥i-1 BR6 h` ¬⊥i-1 R5 hP (t) ` t =τ ui-1 BR3 hP (t) ` P (t)i-1 R9

hP (t) ` P (u)i-1 hP (t), P (u) ` ⊥i-1 BR4

hP (t) ` ⊥i-1

Fig. 7. Translation of LLproof Rules into B Proof System (part 2)

We give in Fig. 6 and Fig. 7 the translations for each LLproof proof node. Each node can be translated to a B derivation where all PFOL sequents are translated into B sequents, leading to a B proof tree. To lighten the presentation, we omit to indicate the context Γ and some useless formulæ (removable by applyingBR2) on

the left-hand side of sequents, and we use ` for `LL. For instance, the translation

of the LLproof Axiom rule should be:

BR3 hΓ, P, ¬P, ¬⊥ `LLP i-1 BR3 hΓ, P, ¬P, ¬⊥ `LL¬P i-1 R5 hΓ, P, ¬P `LL⊥i-1

(18)

Example 5. The proof of the running example is too big to be presented here. Instead, we present the proof translation for the following B formula, given s:

∀x · (x ∈ s ⇒ x ∈ s)

The latter leads to the PFOL formula, where k is a constant: ∀s : Set(k). ∀x : k. x ∈ s ⇒ x ∈ s The LLproof proof is:

Ax cx∈kcs, cx6∈kcs`LL⊥ ¬ ⇒ ¬(cx∈kcs⇒ cx∈kcs) `LL⊥ ¬∀ ¬∀x : k. x ∈kcs⇒ x ∈kcs`LL⊥ ¬∀ ¬∀s : Set(k). ∀x : k. x ∈ks ⇒ x ∈ks `LL⊥

We obtain the B proof (we removed the universal quantification over the given set s, the first R5 node in the translation of ¬∀, some useless formulæ on the

left-hand side of sequents and used ` for `B, c for cxand s for cs):

BR3 c ∈ s ` c ∈ s c 6∈ s ` c 6∈ s BR3 R5 c ∈ s, c 6∈ s ` ⊥ ` ¬⊥ BR6 R5 c ∈ s ` c ∈ s R3 ` c ∈ s ⇒ c ∈ s ¬(c ∈ s ⇒ c ∈ s) ` ¬(c ∈ s ⇒ c ∈ s) BR3 R5 ¬(c ∈ s ⇒ c ∈ s) ` ⊥ ` ¬⊥ BR6 R5 ` c ∈ s ⇒ c ∈ s R7 ` ∀x · (x ∈ s ⇒ x ∈ s)

6

Conclusion

Automated theorem provers are in general made of thousands lines of code, using elaborate decision procedures and specific heuristics. The confidence in such tools may therefore be questioned. The correctness of Zenon proofs is already guaranteed by the checking of proof certificates by an external proof checker. But to prove B proof obligations, Zenon relies on two external tools, bpo2why and Why3, to translate proof obligations into its input format, which raises the question whether the proof found still corresponds to a proof of the original statement.

In this paper, we have formalized a different and direct translation from the B Method to a polymorphic first-order logic. The main purpose of this work is not to replace bpo2why, but to validate the use of Zenon to prove B proof obligations. One of the most challenging part of this translation deals with the encoding of the B notion of types. Our solution to make the axioms polymorphic allows us to benefit from the flexibility of polymorphism. Furthermore, we showed that this translation is sound and gave a procedure to translate Zenon proofs in the B proof system.

As future work, we want to prove the soundness and completeness of the deduction modulo theory [11] extension of the proof system LLproof with regard to those of LLproof, in particular in the case of the B Method.

(19)

References

1. Abrial, J.R.: The B-Book, Assigning Programs to Meanings. Cambridge University Press (1996)

2. Blanchette, J.C., Böhme, S., Popescu, A., Smallbone, N.: Encoding Monomorphic and Polymorphic Types. In: Tools and Algorithms for the Construction and Anal-ysis of Systems, TACAS 2013. Springer (2013)

3. Bobot, F., Filliâtre, J.C., Marché, C., Paskevich, A.: Why3: Shepherd Your Herd of Provers. In: International Workshop on Intermediate Verification Languages (Boogie) (2011)

4. Bodeveix, J.P., Filali, M.: Type Synthesis in B and the Translation of B to PVS. In: Formal Specification and Development in Z and B, ZB. Springer (2002) 5. Boespflug, M., Carbonneaux, Q., Hermant, O.: The λΠ-Calculus Modulo as a

Universal Proof Language. In: Proof Exchange for Theorem Proving (PxTP) (2012) 6. Bonichon, R., Delahaye, D., Doligez, D.: Zenon: An Extensible Automated The-orem Prover Producing Checkable Proofs. In: Logic for Programming Artificial Intelligence and Reasoning (LPAR). LNCS/LNAI, vol. 4790. Springer (2007) 7. Bury, G., Delahaye, D., Doligez, D., Halmagrand, P., Hermant, O.: Automated

Deduction in the B Set Theory using Typed Proof Search and Deduction Modulo. In: LPAR 20 : 20th International Conference on Logic for Programming, Artificial Intelligence and Reasoning. Suva, Fiji (2015)

8. Cauderlier, R., Halmagrand, P.: Checking Zenon Modulo Proofs in Dedukti. In: Fourth Workshop on Proof eXchange for Theorem Proving (PxTP). Berlin, Ger-many (2015)

9. Delahaye, D., Doligez, D., Gilbert, F., Halmagrand, P., Hermant, O.: Zenon Mod-ulo: When Achilles Outruns the Tortoise using Deduction Modulo. In: Logic for Programming Artificial Intelligence and Reasoning (LPAR). LNCS/ARCoSS, vol. 8312. Springer (2013)

10. Delahaye, D., Dubois, C., Marché, C., Mentré, D.: The BWare Project: Building a Proof Platform for the Automated Verification of B Proof Obligations. In: Abstract State Machines, Alloy, B, VDM, and Z (ABZ). LNCS, Springer (2014)

11. Dowek, G., Hardin, T., Kirchner, C.: Theorem Proving Modulo. Journal of Auto-mated Reasoning (JAR) 31 (2003)

12. Dowek, G., Miquel, A.: Cut elimination for zermelo set theory. Archive for Math-ematical Logic. Springer. Submitted (2007)

13. Jacquel, M., Berkani, K., Delahaye, D., Dubois, C.: Verifying B Proof Rules using Deep Embedding and Automated Theorem Proving. Software Engineering and Formal Methods 7041, 253–268 (2011)

14. Jaeger, E., Dubois, C.: Why Would You Trust B? In: Berlin, S. (ed.) Logic for Programming, Artificial Intelligence, and Reasoning. Lecture Notes in Computer Science, Yerevan, Armenia (2007)

15. Kleene, S.C.: Permutability Of Inferences In Gentzens Calculi LK And LJ. In: Bul-letin Of The American Mathematical Society. vol. 57, pp. 485–485. Amer Mathe-matical Soc 201 Charles St, Providence, RI (1951)

16. Mentré, D., Marché, C., Filliâtre, J.C., Asuka, M.: Discharging Proof Obligations from Atelier B using Multiple Automated Provers. In: Abstract State Machines, Alloy, B, VDM, and Z (ABZ). LNCS, vol. 7316. Springer (2012)

17. Schmalz, M.: Formalizing the logic of event-B. Ph.D. thesis, Diss., Eidgenössische Technische Hochschule ETH Zürich, Nr. 20516, 2012 (2012)

Figure

Fig. 1. The Proof System of the B Method
Fig. 2. The Type System of the B Method
Fig. 3. The Typed Sequent Calculus LLproof
Fig. 4. Translation from B to PFOL
+3

Références

Documents relatifs

The application of the FSA score to foods in the French context indicated that the score could be used as a basis for a five-category system, provided marginal adjustments in a few

We can expect (and it is indeed the case) that the combi- natorics of these objects is not easy to describe. In particular, a representation which is adapted to computer

This paper ad- dresses the issues of dening such sequent calculi for Pure Type Systems (PTS, which are based on natural deduction) and then organizing their rules for ef- fective

A type-checker generator In order to provide an efficient and yet simple type checker for the λΠ-calculus modulo we chose to implement it as a type checker generator: a

– Plugins can be programmed to drive the kernel, using its API, through the search space towards an answer provable or not provable; soundness of the answer only relies on the

The sequent calculus LK (T ) manipulates the formulae of first-order logic, with the specificity that every predicate symbol is classified as either positive or negative, and

Therefore, this chapter is organised as follows: Section 5.1 recalls the standard presentation of clause tableaux and connection tableaux for propositional logic, as well as

We have illustrated that, instead of discarding the sequent calculus in search of canonical proof systems, sequent proofs can be systematically abstracted by (maximal)